survey

Human Factors in Phishing Attacks: A Systematic Literature Review

Published: 04 October 2021

Abstract

Phishing is the fraudulent attempt to obtain sensitive information by disguising oneself as a trustworthy entity in digital communication. It is a type of cyber attack often successful because users are not aware of their vulnerabilities or are unable to understand the risks. This article presents a systematic literature review conducted to draw a “big picture” of the most important research works performed on human factors and phishing. The analysis of the retrieved publications, framed along the research questions addressed in the systematic literature review, helps in understanding how human factors should be considered to defend against phishing attacks. Future research directions are also highlighted.


Published In

ACM Computing Surveys  Volume 54, Issue 8
November 2022
754 pages
ISSN: 0360-0300
EISSN: 1557-7341
DOI: 10.1145/3481697
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 04 October 2021
Accepted: 01 June 2021
Revised: 01 May 2021
Received: 01 July 2020
Published in CSUR Volume 54, Issue 8


Author Tags

  1. Phishing
  2. human factors
  3. cybersecurity

Qualifiers

  • Survey
  • Refereed

Funding Sources

  • Italian Ministry of University and Research (MUR)
  • PON projects LIFT, TALIsMAn, and SIMPLe
  • “Dipartimento di Eccellenza”
  • DATACLOUD, DESTINI, and FIRST
  • RoMA—Resilience of Metropolitan Areas

Article Metrics

  • Downloads (Last 12 months): 1,303
  • Downloads (Last 6 weeks): 100
Reflects downloads up to 25 Jan 2025


Cited By

  • (2025) TSFF: A Triple-Stream Feature Fusion Method for Ethereum Phishing Scam Detection. IEEE Internet of Things Journal 12:3 (2623-2632). DOI: 10.1109/JIOT.2024.3473771. Online publication date: 1-Feb-2025
  • (2025) What goes wrong during phishing education? A probe into a game-based assessment with unfavorable results. Entertainment Computing 52 (100815). DOI: 10.1016/j.entcom.2024.100815. Online publication date: Jan-2025
  • (2024) A review of organization-oriented phishing research. PeerJ Computer Science 10 (e2487). DOI: 10.7717/peerj-cs.2487. Online publication date: 27-Nov-2024
  • (2024) Integration of Cybersecurity, Usability, and Human-Computer Interaction for Securing Energy Management Systems. Sustainability 16:18 (8144). DOI: 10.3390/su16188144. Online publication date: 18-Sep-2024
  • (2024) Investigation of Phishing Susceptibility with Explainable Artificial Intelligence. Future Internet 16:1 (31). DOI: 10.3390/fi16010031. Online publication date: 17-Jan-2024
  • (2024) Where Do Users Look When Deciding If a Text Message is Safe or Malicious? Proceedings of the Human Factors and Ergonomics Society Annual Meeting 68:1 (221-225). DOI: 10.1177/10711813241264204. Online publication date: 12-Aug-2024
  • (2024) SoK: Access Control Policy Generation from High-level Natural Language Requirements. ACM Computing Surveys 57:4 (1-37). DOI: 10.1145/3706057. Online publication date: 28-Nov-2024
  • (2024) X-Phishing-Writer: A Framework for Cross-lingual Phishing E-mail Generation. ACM Transactions on Asian and Low-Resource Language Information Processing 23:7 (1-34). DOI: 10.1145/3670402. Online publication date: 26-Jun-2024
  • (2024) Enhancing Smishing Detection in AR Environments: Cross-Device Solutions for Seamless Reality. 2024 IEEE Conference on Virtual Reality and 3D User Interfaces Abstracts and Workshops (VRW) (565-572). DOI: 10.1109/VRW62533.2024.00108. Online publication date: 16-Mar-2024
  • (2024) Educational Phishing: An Awareness Campaign to Learn How to Detect Phishing. 2024 43rd International Conference of the Chilean Computer Science Society (SCCC) (1-5). DOI: 10.1109/SCCC63879.2024.10767670. Online publication date: 28-Oct-2024
